Improve naming of AWS service access generator objects and related pr…

…operty
k9securityio · Jun 24, 2024 · d021343 · d021343
1 parent 7fcbd9a
commit d021343
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 14 deletions.
diff --git a/src/k9policy.ts b/src/k9policy.ts
@@ -43,7 +43,7 @@ export interface IAccessSpec {
   test?: ArnConditionTest;
 }
 
-export interface IServiceAccessSpec {
+export interface IAWSServiceAccessGenerator {
   makeAllowStatements(): Array<PolicyStatement>;
 
   makeConditionsToExceptFromDenyEveryoneElse(): Conditions;

diff --git a/src/s3.ts b/src/s3.ts
@@ -11,7 +11,7 @@ import { BucketEncryption } from 'aws-cdk-lib/aws-s3';
 import { IBucket } from 'aws-cdk-lib/aws-s3/lib/bucket';
 import { IConstruct } from 'constructs';
 import * as aws_iam_utils from './aws-iam-utils';
-import { AccessCapability, IAccessSpec, IServiceAccessSpec, K9PolicyFactory } from './k9policy';
+import { AccessCapability, IAccessSpec, IAWSServiceAccessGenerator, K9PolicyFactory } from './k9policy';
 
 /**
  * Configure the k9 Security S3 Bucket policy generator with the K9BucketPolicyProps.
@@ -46,13 +46,12 @@ export interface K9BucketPolicyProps extends s3.BucketPolicyProps {
   readonly publicReadAccess?: boolean;
 
   /**
-   * (Optionally) Allow the specified CloudFront distribution read access to the bucket using CloudFront OAC.
+   * An (optional) array of IAWSServiceAccessGenerator instances which will generate statements to allow access to the
+   * bucket or bucket object(s) by an AWS service like CloudFront or Kinesis.
    *
    * @default undefined
    */
-  readonly allowCloudFrontDistributionReadAccess?: string;
-
-  readonly k9DesiredAWSServiceAccess?: Array<IServiceAccessSpec>;
+  readonly awsServiceAccessGenerators?: Array<IAWSServiceAccessGenerator>;
 }
 
 let SUPPORTED_CAPABILITIES = new Array<AccessCapability>(
@@ -68,7 +67,7 @@ export const SID_DENY_UNENCRYPTED_STORAGE = 'DenyUnencryptedStorage';
 export const SID_ALLOW_PUBLIC_READ_ACCESS = 'AllowPublicReadAccess';
 export const SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = 'AllowCloudFrontOACReadAccess';
 
-export class CloudFrontOACReadAccess implements IServiceAccessSpec {
+export class CloudFrontOACReadAccess implements IAWSServiceAccessGenerator {
   readonly bucket: IBucket;
   readonly distributionArn: string;
 
@@ -91,7 +90,8 @@ export class CloudFrontOACReadAccess implements IServiceAccessSpec {
   }
 
   makeConditionsToExceptFromDenyEveryoneElse(): Conditions {
-    // return  {"Operator": { "keyInRequestContext": "value" } }
+    // return a (TypeScript) Record of the form:
+    //     {"Operator": { "keyInRequestContext": "value" } }
     return { StringNotEqualsIfExists: { 'aws:PrincipalServiceName': 'cloudfront.amazonaws.com' } };
   }
 }
@@ -157,8 +157,8 @@ export function grantAccessViaResourcePolicy(scope: IConstruct, id: string, prop
     );
   }
 
-  if (props.k9DesiredAWSServiceAccess) {
-    for (let serviceAccessSpec of props.k9DesiredAWSServiceAccess) {
+  if (props.awsServiceAccessGenerators) {
+    for (let serviceAccessSpec of props.awsServiceAccessGenerators) {
       let allowStatements:Array<PolicyStatement> = serviceAccessSpec.makeAllowStatements();
       k9Statements.unshift(...allowStatements);
     }
@@ -194,8 +194,8 @@ export function grantAccessViaResourcePolicy(scope: IConstruct, id: string, prop
   denyEveryoneElseStatement.addCondition(denyEveryoneElseTest,
     { 'aws:PrincipalArn': [...allAllowedPrincipalArns] });
 
-  if (props.k9DesiredAWSServiceAccess) {
-    for (let serviceAccessSpec of props.k9DesiredAWSServiceAccess) {
+  if (props.awsServiceAccessGenerators) {
+    for (let serviceAccessSpec of props.awsServiceAccessGenerators) {
       let conditionsToExceptFromDenyEveryoneElse = serviceAccessSpec.makeConditionsToExceptFromDenyEveryoneElse();
       let conditionOps = Object.keys(conditionsToExceptFromDenyEveryoneElse) as Array<string>;
       for (let conditionOp of conditionOps) {

diff --git a/test/k9.test.ts b/test/k9.test.ts
@@ -7,7 +7,7 @@ import * as cdk from 'aws-cdk-lib/core';
 import { RemovalPolicy } from 'aws-cdk-lib/core';
 import { fail, stringifyPolicy } from './helpers';
 import * as k9 from '../lib';
-import { AccessCapability, IAccessSpec, IServiceAccessSpec } from '../lib/k9policy';
+import { AccessCapability, IAccessSpec, IAWSServiceAccessGenerator } from '../lib/k9policy';
 import { K9KeyPolicyProps, SID_ALLOW_ROOT_AND_IDENTITY_POLICIES, SID_DENY_EVERYONE_ELSE } from '../lib/kms';
 import {
   K9BucketPolicyProps,
@@ -265,7 +265,7 @@ test('K9BucketPolicy - allow CloudFront OAC', () => {
     ),
     encryption: BucketEncryption.S3_MANAGED,
 
-    k9DesiredAWSServiceAccess: new Array<IServiceAccessSpec>(
+    awsServiceAccessGenerators: new Array<IAWSServiceAccessGenerator>(
       new CloudFrontOACReadAccess(bucket, expectDistributionArn),
     ),
   };